Despite the ubiquity of file sharing services like OneDrive and Google Docs, many information workers are still using email to share documents and other files. Radicati reports that the number of business emails sent and received per day will reach 116.4 billion by the end of 2016, and a good number of them will include an attachment. Regardless of the potential version conflicts and security risks, email remains a fast and convenient way for users to review and collaborate on a document.

Because of the huge volume of documents that are shared via email each day, antivirus (AV) technologies around the world are constantly evaluating email attachments for potentially malicious files. Last week the threat detection community ran into a problem when a public domain AV signature provider wrongfully categorized all Microsoft .doc files as a virus. This led to a large number of legitimate Microsoft Word documents to be blocked from transmission when they encountered an AV layer.

In order to maintain an acceptable balance between user productivity and user safety, many vendors disabled the piece of AV technology that was blocking the documents affected by the false positive. This allowed the documents to be transmitted to the intended recipients, where endpoint AV could still defend the users from malicious attachments.

Yesterday, Barracuda Advanced Threat Detection Service detected a larger than usual amount of .doc files transmitting over email. The majority of these .doc files were malware and polymorphic in nature, which means that these files carried the same malicious intent, but their signatures would change in order to evade signature based AV solutions.

The above graph is taken from our Barracuda ATD system, and shows the surge in .doc files. The files represented here are unique files, with duplicate attacks removed. Based on the most recent data, 80% of these were malicious files. These were detected using our Barracuda Advanced Threat Detection microservice.

What lessons can we take from this data?

It should be immediately clear that criminals are constantly watching the security industry in an effort to find vulnerabilities and opportunities. In this case, they identified the opportune timing to attack due to the likely lowered security on .doc attachments. In the above graph, you can see that they reacted as soon as August 11, and then were able to launch a larger attack on August 15.

This brings us to another point that all readers should remember, which is that people have to remain vigilant and use multiple layers of protection. In this case, the false positives led to a greater need for non-signature based defenses.

Barracuda Advanced Threat Detection combines behavioral, heuristic, and sandboxing technologies to protect against zero hour and targeted attacks. ATD automatically scans email attachments in real-time, and suspicious attachments are detonated in a sandbox environment to observe behavior. In addition to blocking the attachment, the results are integrated into the Barracuda Real Time System providing protection for all other customers. Barracuda ATD is available in Barracuda Essentials for Email Protection, Barracuda Essentials for Office 365 and Barracuda NextGen Firewalls.

We also recommend that users always keep Microsoft Office and Windows in general up-to-date, as vendors regularly release security patches that can help reduce exposure to some attacks. Users should also stay observant regarding what attachments are opened, especially when running macros or following prompts within those attachments.

Fleming Shi is the Senior Vice President of Technology at Barracuda, where he leads the company’s cloud-enabled microservices technology innovation and integrations across the entire security and data protection portfolio. Connect with him on LinkedIn here.

Fleming Shi is the senior vice president of technology at Barracuda, where he leads the company’s cloud-enabled microservices technology innovation and integrations across the entire security and data protection portfolio. Connect with him on LinkedIn.